Washington State is considering sweeping legislation (SB 5376) to govern the security and privacy of personal data similar to the requirements of the European Union’s General Data Protection Regulation (“GDPR”). Under the proposed legislation, Washington residents will gain comprehensive rights in their personal data. Residents will have the right, subject to certain exceptions, to request that data errors be corrected, to withdraw consent to continued processing and to deletion of their data. Residents may require an organization to confirm whether it is processing their personal information and to receive a copy of their personal data in electronic form.

Covered organizations will be required to provide consumers with a conspicuous privacy notice disclosing the categories of personal data collected or shared with third parties and the consumers’ rights to control use of their personal data. Significantly, covered businesses must conduct documented risk assessments to identify the personal data to be collected and weigh the risks in collection and mitigation of those risks through privacy and cybersecurity safeguards. …

The National Labor Relations Board (NLRB or Board), which continues to apply an ever expanding standard for determining whether a company that contracts with another business to supply contract labor or services in support of its operations should be treated as a joint employer of the supplier or contractor’s employees, is now considering whether a company’s requirement that its suppliers and contractors comply with its Corporate Social Responsibility (CSR) Policy, which includes minimum standards for the contractor or supplier’s practices with its own employees can support a claim that the customer is a joint employer. …

Employers are well advised to review the full range of their operations and personnel decisions, including their use of contingent and temporaries and personnel supplied by temporary and other staffing agencies to assess their vulnerability to such action and to determine what steps they make take to better position themselves for the challenges that are surely coming.

Businesses of all sizes and in virtually every industry face the daily threat of a data breach or other cybersecurity event, as well as the challenge of managing the potentially catastrophic economic and reputational harm that can flow from such an incident. Further complicating matters is that these threats can come from any number of sources: hackers, phishers, spammers, bot-network operators, spyware and malware authors, insiders, other nations, organized criminal groups, and terrorists. SEC regulations require registered financial institutions—including broker-dealers, investment companies, and investment advisers—to adopt written policies and procedures reasonably designed to ensure the security and confidentiality of customer information and records. In the last few years, the SEC has become increasingly vocal about cybersecurity compliance. For example, SEC Commissioner Luis A. Aguilar, in his speech entitled “Boards of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus,” noted that “boards that choose to ignore, or minimize, the importance of cybersecurity responsibility do so at their own peril.” It should come as no surprise, then, that the SEC recently announced that cybersecurity compliance will be one its selected examination priorities in 2016. The inspection and examination priorities selected by the SEC “reflect certain practices and products that [the Office of Compliance Inspections and Examinations] perceives to present potentially heightened risk to investors and/or the integrity of the U.S. capital markets.” The recent announcement is a natural continuation of the SEC’s focus on cybersecurity in the financial services industry.

In April 2014, after holding a roundtable discussion with industry representatives, the SEC announced a series of examinations to identify and assess cybersecurity risks and preparedness in the securities industry. In February 2015, the Financial Industry Regulatory Authority (“FINRA”) released a “Report on Cybersecurity Practices.” As FINRA observed, the frequency and sophistication of cyber attacks are increasing, and it is imperative to have fundamental controls in place to manage risk and reduce the threat.

Subsequently, in September 2015, the SEC launched a second initiative to examine the cybersecurity compliance and controls in place at broker-dealers and investment advisory firms. The SEC expressed concern regarding public reports that had identified cybersecurity breaches related to weaknesses in basic data controls. As a result, this second initiative focused on governance and risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident responses.

Shortly thereafter, the SEC announced that a St. Louis-based investment adviser had agreed to settle charges that it failed to establish the required cybersecurity policies and procedures in advance of a breach that compromised the personally identifiable information of approximately 100,000 individuals, including thousands of the firm’s clients. At the time, an SEC representative emphasized that “[a]s we see an increasing barrage of cyber attacks on financial firms, it is important to enforce the safeguards rule even in cases like this when there is no apparent financial harm to clients . . . Firms must adopt written policies to protect their clients’ private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.” Without admitting any wrongdoing, the firm agreed to cease and desist and pay a $75,000 fine.

In the recent statement, the SEC indicated that, to advance the efforts announced last September, the 2016 examinations will be looking at structural risks and trends that may involve multiple firms or entire industries. The examinations will include the testing and assessment of the implementation of procedures and controls at the target companies. Companies subject to the SEC’s jurisdiction are therefore well advised to make cybersecurity and data privacy a priority in their own compliance regimes.

In previous articles and postings, we have cautioned that legislative policy of the Dodd-Frank Wall Street Reform and Consumer Protection Act threatens to circumvent corporate compliance programs and drive whistleblowers having vital information outside the organization in the hope of receiving rich bounty awards. In a recent article published by Bloomberg Law Reports®, Allen Roberts discusses some of the challenges businesses subject to SEC jurisdiction need to address in the face of the SEC’s Final Rule – mindful that the plaintiffs’ bar has geared up to capitalize on new opportunities.